The present invention generally relates to user authentication for purposes of secure information exchange and more particularly to a system and method of user authentication over a peer-to-peer network.
With the popularity of portable computing devices (i.e., personal digital assistants (PDA's, cell phones, etc.) increasing, there comes a greater need and ability to share information between devices in mobile and ad-hoc environments where fixed network infrastructure varies or does not exist. Peer-to-peer networks can be established between the devices so that collaborative information can be shared. Ensuring that such networks are secure poses a challenge. A key aspect of that security is ensuring the identity of a peer user in the network (i.e., authentication).
Currently, in the prior art, there exist well-established methods for establishing secure connections between client and server computers where security infrastructure exists. These methods assume that the information required for authentication is present prior to establishing a connection. The methods may use public key cryptography and rely on a certificate authority (CA) for certificate validation. The interaction between a web browser and a secure web server is an example of such a method. The server must present a certificate that has been digitally signed by one of the browser's trusted certificate authorities. Root certificates of major certificate authorities must be pre-installed on the user's computer along with the web browser, allowing the browser to verify the digital signature on the server's certificate. However, these methods may not be appropriate for peer-to-peer networks, in which new peers may be encountered at any time, and there is no central authority to issue certificates.
Pretty Good Privacy (PGP) is a peer-to-peer system of authentication and secure information exchange. Peers obtain copies of each other's certificates and assign a level of trust to the certificate. A peer may be trusted if a copy of its certificate is already present in the local trusted database, or if a trusted peer has digitally signed its certificate.
PGP enables the user to establish a web of trust that can be extended across several degrees of direction. However, this can weaken authentications as the chain between peers extends. Secure authentications can be made indiscriminately as this chain of trust extends between peers.
While PGP eliminates the need for certificate authorities, it still does not address the security needs of real-time peer-to-peer collaboration. PGP is used for non-real-time applications, such as the encryption of files and email. It does not permit a secure connection to be established for ongoing information exchange in real-time. Furthermore, PGP relies upon publicly accessible certificate directories hosted on centralized servers for the distribution of certificates. Additionally, PGP does not separate encryption and the establishment of encrypted connections from authentication.
In a self-organizing system, peers can maintain all authentication information locally. However, the computing and memory constraints of some portable devices limit the capacity of the device to store and retrieve a large number of certificates, which occurs as users enter and leave the network. An additional difficulty arises in how the authentication requirements are imposed on the participants in the network. Particularly, in ad-hoc network configurations common to portable peer-to-peer networks, users may demand more stringent authentication for particular types of applications or activities without relinquishing the potential to exchange information with peers that have not been authenticated as stringently for less secure activities.